ratify
Support fine-tuned policy scope
What would you like to be added?
The current default behavior of ratify policies applies universally to all registries. However, there is room for improvement in terms of security posture and flexibility. Rather than a one-size-fits-all approach, it is recommended to allow policies to be applied to various scopes:
- All: Policies apply to all registries
- Registry: Policies apply to specific registries.
- Repository: Policies apply to repositories within various registries.
- Image: Policies apply to specific images in various registries.
The Notary Project’s trust policy supports the scopes of all and repository but does not support the others. It’s also essential to have this granularity when verifying other artifacts, and different types of artifacts can have different policy scopes.
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this feature?
- [ ] Yes, I am willing to implement it.
Discussed in the meeting today: this is feasible today with complex logic in a single Rego policy. But we agree this can be improved.
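The following is an added example, not code from the ratify project or from the issue author, showing one way the four scopes listed above (all, registry, repository, image) could be resolved against an image reference in Go, ratify's implementation language. The `ScopedPolicy` type, the policy names, the digest value, and the rules "most specific scope wins" and "no matching policy means deny" are assumptions made for this example; ratify does not document them.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ScopeKind orders the scopes from most general to most specific; the
// numeric order is what Resolve uses to pick a winner.
type ScopeKind int

const (
	ScopeAll ScopeKind = iota
	ScopeRegistry
	ScopeRepository
	ScopeImage
)

func (k ScopeKind) String() string {
	return [...]string{"all", "registry", "repository", "image"}[k]
}

// ScopedPolicy binds a policy name to the scope it applies to. Target is the
// registry host, the repository path, or the full image reference; it is
// ignored for ScopeAll. (Hypothetical type for this example.)
type ScopedPolicy struct {
	Kind   ScopeKind
	Target string
	Policy string
}

// Ref holds the scope components of a parsed, fully-qualified OCI reference.
type Ref struct {
	Registry   string // e.g. "ghcr.io"
	Repository string // e.g. "ghcr.io/example/app"
	Image      string // the reference exactly as written, tag and/or digest included
}

// ParseRef splits "host/path[:tag][@digest]" into scope components. It
// requires a fully-qualified reference and deliberately does not apply
// Docker Hub short-name expansion, so "alpine:3.19" is rejected rather than
// silently mapped to a registry the policy author did not name.
func ParseRef(ref string) (Ref, error) {
	slash := strings.IndexByte(ref, '/')
	if slash < 0 {
		return Ref{}, fmt.Errorf("reference %q has no registry component", ref)
	}
	registry := ref[:slash]
	if !strings.ContainsAny(registry, ".:") && registry != "localhost" {
		return Ref{}, fmt.Errorf("reference %q is not fully qualified", ref)
	}
	rest := ref[slash+1:]
	if at := strings.IndexByte(rest, '@'); at >= 0 { // drop "@sha256:..." first
		rest = rest[:at]
	}
	if colon := strings.LastIndexByte(rest, ':'); colon > strings.LastIndexByte(rest, '/') {
		rest = rest[:colon] // a ':' after the last '/' separates the tag
	}
	if rest == "" {
		return Ref{}, fmt.Errorf("reference %q has an empty repository", ref)
	}
	return Ref{Registry: registry, Repository: registry + "/" + rest, Image: ref}, nil
}

func matches(p ScopedPolicy, ref Ref) bool {
	switch p.Kind {
	case ScopeAll:
		return true
	case ScopeRegistry:
		return p.Target == ref.Registry
	case ScopeRepository:
		return p.Target == ref.Repository
	case ScopeImage:
		return p.Target == ref.Image
	}
	return false
}

// Resolve returns the most specific policy whose scope matches ref; ok is
// false when nothing matches. Precedence (image > repository > registry >
// all) is this example's assumption, not documented ratify behaviour.
func Resolve(policies []ScopedPolicy, ref Ref) (best ScopedPolicy, ok bool) {
	for _, p := range policies {
		if matches(p, ref) && (!ok || p.Kind > best.Kind) {
			best, ok = p, true
		}
	}
	return best, ok
}

// PolicyFor parses ref and resolves its policy, failing closed: an
// unparseable reference or one that no scope covers is an error, not a pass.
func PolicyFor(policies []ScopedPolicy, ref string) (string, error) {
	parsed, err := ParseRef(ref)
	if err != nil {
		return "", err
	}
	p, ok := Resolve(policies, parsed)
	if !ok {
		return "", errors.New("no policy scoped to this reference; denying")
	}
	return p.Policy, nil
}

// examplePolicies is a constructed policy set; the digest is a placeholder.
var examplePolicies = []ScopedPolicy{
	{ScopeAll, "", "require-notation-signature"},
	{ScopeRegistry, "ghcr.io", "require-ghcr-signer"},
	{ScopeRepository, "ghcr.io/example/app", "require-app-signer-and-sbom"},
	{ScopeImage, "ghcr.io/example/app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "allow-pinned-release"},
}

func main() {
	for _, ref := range []string{"docker.io/library/alpine:3.19", "ghcr.io/example/app:v2", "alpine:3.19"} {
		if p, err := PolicyFor(examplePolicies, ref); err != nil {
			fmt.Printf("%-32s -> denied (%v)\n", ref, err)
		} else {
			fmt.Printf("%-32s -> %s\n", ref, p)
		}
	}
}
```

Two points a practitioner should keep in mind: an image-scoped policy keyed on a tag is only as stable as that tag, since tags are mutable, so image scopes should be written against digests as in the example; and the resolver fails closed on a short name or an uncovered reference, because a scope model that silently falls back to "allow" would widen rather than narrow the trust boundary.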